ci: add zizmor to static check GitHub workflows #1656
Conversation
tonyandrewmeyer
changed the title
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
|
FYI, if you want to just run |
benhoyt
left a comment
benhoyt
left a comment
There was a problem hiding this comment.
I admit to being a little skeptical about adding a 3rd party tool for this, but I'm willing to try it. What do you think about the alternative of changing the repo Workflow Permissions to read-only instead?
| uses: actions/checkout@v4 | ||
| with: | ||
| repository: ${{ matrix.charm-repo }} | ||
| persist-credentials: false |
There was a problem hiding this comment.
It seems to me that if we set the top-level or repo-level permissions to none (read-only) we don't need this, right? Because even if they're persisted they won't be able to do anything but read. If that's the case, it seems like it adds a fair bit of noise.
There was a problem hiding this comment.
Security is best when layered. Admittedly, there's quite a bit of overlap in the layers here, but it doesn't seem like a lot of noise to me (when you look at the files in total, rather than a PR that's adding this line in several places). This is another case where it seems clear that this would have been the better default, but we can't fix that.
In terms of the actual risk, I believe you're correct, though - it doesn't seem like read-only credentials to a public repository are useful in any way to an attacker.
There was a problem hiding this comment.
Fair. I've just changed the repo Workflow permissions to read-only as well.
| uses: astral-sh/setup-uv@v5 | ||
|
|
||
| - name: Run zizmor 🌈 | ||
| run: uvx zizmor --format sarif . > results.sarif |
There was a problem hiding this comment.
Should we pin the version of zizmor, for stability/security?
There was a problem hiding this comment.
@james-garner-canonical is going to pin all the workflows, I believe, so I figured I'd leave it for then.
| env: | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| - name: Upload SARIF file |
There was a problem hiding this comment.
Where does this upload appear, and what does it include?
There was a problem hiding this comment.
That's mostly explained in this comment. It looks like this example. The GitHub docs have more information about SARIF and what's included in the file.
I figured that would be the case, which is why I picked you as a reviewer :)
For what it's worth, I've seen a lot of positive mentions of the tool over the last ~6 months, including recommendations from people whose opinion I trust, like Seth Larson (Python Security Developer in Residence), Mike Fiedler (PyPI maintainer), Ned Batchelder, Alex Gaynor, and Paul Kehrer. It's not an Astral tool but it's sponsored by Astral, which has some weight, I think. I'm also reluctant to add new dependencies, even CI ones, but it seems like there's an active focus on attacking CI and that this is the most highly recommended static analysis tool. It can't do much damage (false security reports would be the only thing I think), and uses minimal resources (yet another Rust tool run with uvx).
I think it's definitely worth addressing the risks that the tool identified. Switching the repo permissions would cover most of that. I think we should also do the recommended template injection remediation and change the trigger for the conventional commit check. If we go that route instead then what about keeping it as a pre-commit tool (for those using pre-commit) and considering the CI another time instead? It'd be the |
benhoyt
left a comment
benhoyt
left a comment
There was a problem hiding this comment.
Thanks for the details. Let's give it a shot!
tonyandrewmeyer
changed the title
This reverts commit 662d226.
|
|
||
| on: | ||
| pull_request_target: | ||
| pull_request_target: # zizmor: ignore[dangerous-triggers] Doesn't touch code - pull_request results in cancellation errors. |
There was a problem hiding this comment.
| pull_request_target: # zizmor: ignore[dangerous-triggers] Doesn't touch code - pull_request results in cancellation errors. | |
| # This trigger allows the action to access the PR content | |
| pull_request_target: # zizmor: ignore[dangerous-triggers] Doesn't touch code. |
IMO the cancellation errors are a red herring, and I thought I fixed those by using the PR number in the concurrency.group
If the action only really checks the PR title in the github context, then either pull_request or pull_request_target should work.
Is the action uses the GitHub API to look into the PR, then it must run on ..._target.
Your test may be misleading, because you are a member of this repo.
We'd need a fresh, unconnected github account to test.
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
For the tracing publishing workflows, set the permissions to none and turn off storing the repo credentials, to match all the others. The tracing publishing uses uv - turn off copying artifacts to the GitHub actions cache, which can be dangerous (zizmor docs have details). For this specific use-case I don't think we would get any benefit from enabling the cache anyway. Handle the new rules around pinning but adding a config file that says we only need to pin to references. We'll move to some more specific hash pinning later.
3 participants
Changes:
persist-credentialsto false for all the checkouts, because we don't need to save those - we never do follow-up git commands.Many of the workflows are tested as part of this PR. I've tested most of the others in my fork - the exceptions are TIOBE, publishing (and test publishing), and updating charm pins. The changes are consistent across the workflows, so I don't expect any failures with those.